[ReddSmith]

Posting the checksum might also require a note/disclaimer that this method provides a "reasonable" (or even a "high probability") means of verification, but is not a guarantee. I don't know that you could quantify the terms "reasonable" or "high probability", other than that they mean "better than nothing".

Any further steps would add to the Shirt-Pocket personnel task list. For example, they check their web site at least daily to verify the posted checksums. Or develop a process where the user optionally supplies his email address at the time of download; this will cause a checksum to be dynamically generated from the production library authentic copy of the file and sent to the user, bypassing problems from web page hacking.